Secure computation system, secure computation device, secure computation method, and program

ABSTRACT

Fisher&#39;s exact test is efficiently computed through secure computation. A computation range determination part  12  determines i 0 , i 1 , x 0 , x 1 . A preliminary computation part  13  computes f(x 0 ), . . . , f(x 1 ), and generates an array M=(f(x 0 ), . . . , f(x 1 )). A securing part  14  secures the array M, and generates a secure text array &lt;M&gt;=(&lt;f(x 0 )&gt;, . . . , &lt;f(x 1 )&gt;). A batch-reading part  15  executes the following formulae, and generates a function value secure text (&lt;f(a i )&gt;, &lt;f(b i )&gt;, &lt;f(c i )&gt;, &lt;f(d i )&gt;)(i 0 ≤i≤i 1 ). 
       (&lt; f ( a   i     0   )&gt;,&lt; f ( a   i     0     +1 )&gt;, . . . ,&lt; f ( a   i     1   )&gt;)←BatchRead(&lt; M&gt;;&lt;a&gt;;i   0   ,i   0 +1, . . . , i   1 ),
 
       (&lt; f ( b   i     0   )&gt;,&lt; f ( b   i     0     +1 )&gt;, . . . ,&lt; f ( b   i     1   )&gt;)←BatchRead(&lt; M&gt;;&lt;b&gt;;−i   0 ,−( i   0 +1, . . . ,− i   1 ),
 
       (&lt; f ( c   i     0   )&gt;,&lt; f ( c   i     0     +1 )&gt;, . . . ,&lt; f ( c   i     1   )&gt;)←BatchRead(&lt; M&gt;;&lt;c&gt;;−i   0 ,−( i   0 +1, . . . ,− i   1 ),
 
       (&lt; f ( d   i     0   )&gt;,&lt; f ( d   i     0     +1 )&gt;, . . . ,&lt; f ( d   i     1   )&gt;)←BatchRead(&lt; M&gt;;&lt;d&gt;;i   0   ,i   0 +1, . . . , i   1 )

TECHNICAL FIELD

The present invention relates to applied cryptographic technology and,in particular, to technology of computing Fisher's exact test withoutdisclosing input data.

BACKGROUND ART

Fisher's exact test has been widely known as one of statistical testmethods that perform a hypothesis test on the presence or absence of anassociation between explanatory variables and response variablesprovided as a 2×2 contingency table. Non-patent literature 1 describesthe genome-wide association study (GWAS) as a usage example of Fisher'sexact test.

Fisher's exact test is described. The following table is an example of a2×2 contingency table where n subjects are classified and countedaccording to the presence or absence of mutation and the presence orabsence of the onset of a predetermined disease.

With Without Subtotal due mutation mutation to disease With disease a bn₁• Without disease c d n₂• Subtotal due to n•₁ n•₂ n mutationIn the table, a, b, c and d represent frequencies. n_(1⋅), n_(2⋅),n_(⋅1) and n_(⋅2) represent subtotals. n_(1⋅)=a+b, n_(2⋅)=c+d,n_(⋅1)=a+c, n_(⋅2)=b+d. All of a, b, c, d, n_(1⋅), n_(2⋅), n_(⋅1) andn_(⋅2) are non-negative integers.

Here, for a non-negative integer i, the probability p_(i) defined by anequation (1) is computed. According to the magnitude relationshipbetween the sum of probabilities p represented by an equation (2) and apredetermined value α, which is called a significance level, thepresence or absence of association between explanatory variables (thepresence or absence of mutation in the above table) and responsevariables (the presence or absence of the disease in the above table) istested. Here, p_(a) is a probability value computed by the equation (1)about the contingency table where actual aggregation values a, b, c andd are adopted as frequencies.

$\begin{matrix}{p_{i} = \frac{{\left( {a + b} \right)!}{\left( {c + d} \right)!}{\left( {a + c} \right)!}{\left( {b + d} \right)!}}{{\left( {a + i} \right)!}{\left( {b - i} \right)!}{\left( {c - i} \right)!}{\left( {d + i} \right)!}{\left( {a + b + c + d} \right)!}}} & (1) \\{p = \underset{{i\mspace{14mu} {s.t.\mspace{14mu} p_{i}}} \leq {{p_{a}\bigwedge a} + i} \geq {{0\bigwedge b} - i} \geq {{0\bigwedge c} - i} \geq {{0\bigwedge d} + i} \geq 0}{\sum p_{i}}} & (2)\end{matrix}$

Methods of obtaining specific operation results without decryptingencrypted numerical values include a method called secure computation(see Non-patent literature 2, for example). The method of Non-patentliterature 2 performs encryption that allows three secure computationdevices to hold the divided fragments of the numerical value, and thethree secure computation devices perform cooperative computation, whichcan allow the three secure computation devices to hold the results ofaddition and subtraction, constant addition, multiplication, constantmultiplication, logical operation (negation, logical multiplication,logical addition, and exclusive OR), and data notation conversion(integer, and binary numeral) without decrypting the numerical value, ina state of being distributed among the three secure computation devices,i.e., being left encrypted.

There is a conventional research that performs genome-wide associationstudy while keeping genome information secret using cryptographictechnology, in consideration of the sensitivity and secrecy of thegenome information (see Non-patent literature 3, for example).Non-patent literature 3 proposes a method of performing a chi-squaretest while keeping genome information secret.

PRIOR ART LITERATURE Non-Patent Literature

Non-patent literature 1: Konrad Karczewski, “How to do a GWAS” Lecturenote in GENE 210: Genomics and Personalized Medicine, 2015.

Non-patent literature 2: Koji Chida, Koki Hamada, Dai Ikarashi, andKatsumi Takahashi, “A Three-Party Secure Function Evaluation withLightweight Verifiability Revisited”, CSS 2010, 2010.

Non-patent literature 3: Yihua Zhang, Marina Blanton, and GhadaAlmashaqbeh, “Secure distributed genome analysis for gwas and sequencecomparison computation”, BMC medical informatics and decision making,Vol. 15, No. Suppl 5, p. S4, 2015.

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

In computation of each probability p_(i) by Fisher's exact test, thesame computations, such as x! and log(x!), appear many times. Providedthat the computation is of a function f(x), the computation results . .. , f(−1), f(0), f(1), f(2), . . . of the functions f(x) arepreliminarily computed and the values of computation results arereferred to as required, thereby allowing the efficiency to be improved.However, according to the conventional art, it is assumed thata_(i)=a+i, b_(i)=b−i, c_(i)=c−i, and d_(i)=d+i, and it is also assumedthat in computation of f(a+b), f(c+d), f(a+c), f(b+d), f(a+b+c+d),f(a_(i)), f(b_(i)), f(c_(i)), and f(d_(i)), let m be the number of typesof values of computation results, let n be the number of types ofprobabilities p_(i) to be computed (i.e., i=0, . . . , n−1), a tablehaving a size of m is required to be referred to 4n+5 times. Inparticular, in a case of achieving the reference through securecomputation, a computation amount of O(m) is required to refer to thetable having a size of m. Consequently, the entire computation amount isO(mn).

In view of the above point, the secure computation technology of thepresent invention has an object to compute Fisher's exact testefficiently through secure computation.

Means to Solve the Problems

To solve the above problems, a secure computation system of the presentinvention is a secure computation system comprising three or more securecomputation devices, wherein a, b, c, and d are non-negative integers, ais a frequency on a first row and a first column in a 2×2 contingencytable, b is a frequency on the first row and a second column in thecontingency table, c is a frequency on the second row and the firstcolumn in the contingency table, d is a frequency on the second row andthe second column in the contingency table, <a>, <b>, <c>, and <d>aresecure text pieces of respective frequencies a, b, c, and d, andBatchRead(<α>; <β>; j₀, . . . , j_(m−1)) represents a function ofgenerating secure text (<α[β+j₀ mod n]>, . . . , <α[β+j_(m −1) mod n]>)having a size of m from secure text <α>=(<α[0]>, <α[1]>, . . . ,<α[n−1]>) having a size of n, the secure computation device comprises: acomputation range determination part that determines i₀, i₁, x₀ and x₁that satisfy i₀≤i₁ and x₀≤x₁; a preliminary computation part thatcomputes f(x₀), . . . , f(x₁), and generates an array M=(f(x₀), . . . ,f(x₁)), for a freely selected function f(x); a securing part thatsecures the array M, and generates a secure text array <M>=(<f(x₀)>, . .. , <f(x_(i))>); and a batch-reading part that executes a followingformulae, and generates a function value secure text (<f(a_(i))>,<f(b_(i))>, <f(c_(i))>, <f(d_(i))>) (i₀≤i ≤i₁),

(<f(a _(i) ₀ )>,<f(a _(i) ₀ ₊₁)>, . . . ,<f(a _(i) ₁)>)←BatchRead(<M>;<a>;i ₀ ,i ₀+1, . . . ,i ₁),

(<f(b _(i) ₀ )>,<f(b_(i) ₀ ₊₁)>, . . . ,<f(b _(i) ₁)>)←BatchRead(<M>;<b>;−i ₀,−(i ₀+1, . . . ,−i ₁),

(<f(c _(i) ₀ )>,<f(c _(i) ₀ ₊₁)>, . . . ,<f(c _(i) ₁)>)←BatchRead(<M>;<c>;−i ₀,−(i ₀+1, . . . ,−i ₁),

(<f(d _(i) ₀ )>,<f(d _(i) ₀ ₊₁)>, . . . ,<f(d _(i) ₁)>)←BatchRead(<M>;<d>;i ₀ ,i ₀+1, . . . ,i ₁),

Effects of the Invention

According to the present invention, the values of functions of frequencyf(a_(i)), f(b_(i)), f(c_(i)), and f(d_(i)), which are computationtargets, can be efficiently obtained without disclosing the frequenciesa, b, c, and d in the contingency table, which are to be inputs ofFisher's exact test. Consequently, Fisher's exact test can beefficiently computed through secure computation. Furthermore, Fisher'sexact test can be executed, with the genome information being keptsecret. That is, for example, execution results of Fisher's exact teston integrated data can be obtained while genome data items held bymultiple research institutes are kept secret and are not disclosed toeach other, an execution environment for genome analysis having asignificantly high security level can be provided, and furtherdevelopment in healthcare can be expected accordingly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram exemplifying a functional configuration of a securecomputation system;

FIG. 2 is a diagram exemplifying a functional configuration of a securecomputation device; and

FIG. 3 is a diagram exemplifying processing procedures of a securecomputation method.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Prior to description of embodiments, notations in this Description andthe definitions of terms used in this Description are described.

Notation

A value secured by applying encryption or secret sharing to a certainvalue “a” is called the secure text of “a” and is represented as <a>.Meanwhile, “a” is called the plain text of <a>. In a case where thesecuring is secret sharing, a set of the secret sharing fragments heldby the individual parties according to <a>is referred to.

Secure Shift

A process of adopting, as inputs, secure text array <a>=(<a[0]>, <a[1]>,. . . , <a[n−1]>) having a size of n, and secure text <d>having a shiftamount of d, and of computing a secure text array <a′>=(<a[d]>,<a[d+1]>, . . . , <a[n−1]>, <a[0]>, <a[d−1]>) with <a>being shiftedleftward by d, is called secure shift, and is described by the followingformula.

<a′>←Shift(<a>,<d>)

A method of achieving the secure shift is described in the followingreference document 1.

[Reference Document 1] Koki Hamada, Naoto Kiribuchi, and Dai Ikarashi,“A round-efficient pattern matching algorithm for secure multi-partycomputation”, Computer Security Symposium 2014, vol. 2014, pp. 674-681,October 2014

Batch-Reading Algorithm

A batch-reading algorithm adopts, as inputs, secure text array<a>=(<a[0]>, <a[1]>, . . . , <a[n−1]>) having a size of n, secure text<x>of a natural number x representing a position, and m plain textpieces j₀, j₁, . . . , j_(m−1) representing a relative position from x,and obtains m secure text pieces <b>=(<a[x+j₀ mod n]>, <a[x+j₁ mod n]>,. . . , <a[x+j_(m−1) mod n]>) without disclosing the values of x anda[0], a[1], . . . , a[n−1]. Hereinafter, the batch-reading algorithm isdescribed by the following formula.

<b>←BatchRead(<a>;<x>;j₀,j₁, . . . ,j_(m−1))

The batch-reading algorithm can be more efficiently executed byimplementation as follows using the secure shift as described above.Note that the batch-reading algorithm applicable to the presentinvention is not limited thereto. Any algorithm capable of achieving theinput and output described above is applicable. First, secure text array<a>=(<a[0]>, <a[1]>, . . . , <a[n−1]>) having a size of n, secure text<x> of an integer x that is equal to or higher than 0 and less than n,and m plain text pieces j₀, . . . , j_(m−1) representing a relativeposition from x are input. Next, <a′>=(<a′[0]>, <a′[1]>, . . . ,<a′[n−1]>), where array <a> is shifted leftward by <x>, is obtained by<a′>←Shift(<a>,<x>). It is then assumed that <b[k]>=<a′[j_(k])>(0≤k<m),a secure text array <b>=(<b[0]>, <b[1]>, . . . , <b[m−1]>)=(<a′[j₀]>,<a′[j₁]>, . . . , <a′[j_(m−1]>)) is generated.

Hereinafter, embodiments of the present invention are described indetail. In the diagrams, configuration parts having the same functionsare assigned the same numerals, and redundant description thereof isomitted.

First Embodiment

A secure computation system of a first embodiment comprises n (≥3)secure computation devices 1 ₁, . . . , 1 _(n), as exemplified inFIG. 1. In this embodiment, the secure computation devices 1 ₁, . . . ,1 _(n) are each connected to a communication network 2. Thecommunication network 2 is a communication network that is of a circuitswitching scheme or a packet switching scheme and is configured to allowthe secure computation devices 1 ₁, . . . , 1 _(n)to communicate witheach other. For example, the Internet, a LAN (Local Area Network), a WAN(Wide Area Network) or the like may be used. Each device is notnecessarily capable of communicating online via the communicationnetwork 2. For example, it may be configured such that information to beinput into the secure computation devices 1 ₁(i∈{1, . . . , n}) may bestored in a portable recording medium, such as magnetic tape or a USBmemory, and input may be performed offline from the portable recordingmedium.

As exemplified in FIG. 2, the secure computation device 1 includes aninput part 11, a computation range determination part 12, a preliminarycomputation part 13, a securing part 14, a batch-reading part 15, and anoutput part 16. The secure computation device 1 performs the process ofeach step exemplified in FIG. 3, thereby achieving a secure computationmethod of the first embodiment.

The secure computation device 1 is, for example, a special deviceconfigured to include a publicly known or dedicated computer whichincludes a central processing unit (CPU) and a main memory (RAM: RandomAccess Memory) and the like and into which a special program has beenread. The secure computation device 1 executes each process undercontrol by the central processing unit, for example. Data input into thesecure computation device 1 and data obtained by each process are storedin the main memory, for example. The data stored in the main memory isread into the central processing unit as required, and is used foranother process. At least some of the processing parts of the securecomputation device 1 may be configured by hardware, such as anintegrated circuit.

Referring to FIG. 3, the processing procedures of the secure computationmethod of the first embodiment are described.

In step S11, a secure text (<a>, <b>, <c>, <d>) of a combination offrequencies (a, b, c, d) in a 2×2 contingency table is input into theinput part 11. Here, the 2×2 contingency table is defined by thefollowing formulae, and a, b, c and d are non-negative integers.

Subtotal due With event 1 Without event 1 to event 2 With event 2 a bn₁• Without event 2 c d n₂• Subtotal due to n•₁ n•₂ n event 1

In step S12, the computation range determination part 12 determinesvalues i₀, i₁, x₀ and x₁ that satisfy i₀≤i₁ and x₀≤x₁. Here, it isdetermined that i₀=−n, i₁=n, x₀=−n, and x₁=2n. The values x₀ and x₁ aretransmitted to the preliminary computation part 13. The values i₀ and i₁are transmitted to the batch-reading part 15.

In step S13, as for the function f(x), the preliminary computation part13 computes f(x₀), f(x₀+1), . . . , f(x₁), and generates an arrayM=(f(x₀), f(x₀+1), . . . , f(x₁)). In the first embodiment, to computethe probability p_(i) (i₀≤i≤i₁) defined by the following equation, thefunction f(x) is defined as f(x):=x!.

$p_{i} = \frac{{f\left( {a + b} \right)}{f\left( {c + d} \right)}{f\left( {a + c} \right)}{f\left( {b + d} \right)}}{{f\left( {a + b + c + d} \right)}{f\left( a_{i} \right)}{f\left( b_{i} \right)}{f\left( c_{i} \right)}{f\left( d_{i} \right)}}$

In step S14, the securing part 14 generates a secure text array<M>=(<f(x₀)>, <f(x₀+1)>, . . . , <f(x₁)>) where the array M is secured.The secure text array <M> is transmitted to the batch-reading part 15.

In step S15, the batch-reading part 15 executes the following formulae,and generates a function value secure text (<f(a_(i))>, <f(b_(i))>,<f(c_(i))>, <f(d_(i))>) (i=i₀, . . . , i₁).

(<f(a _(i) ₀ )>,<f(a _(i) ₀ ₊₁)>, . . . ,<f(a _(i) ₁)>)←BatchRead(<M>;<a>;i ₀,i₀+1, . . . ,i ₁),

(<f(b _(i) ₀ )>,<f(b _(i) ₀ ₊₁)>, . . . ,<f(b _(i) ₁)>)←BatchRead(<M>;<b>;−i ₀,−(i ₀+1, . . . ,−i ₁),

(<f(c _(i) ₀ )>,<f(c _(i) ₀ ₊₁)>, . . . ,<f(c _(i) ₁)>)←BatchRead(<M>;<c>;−i ₀,−(i ₀+1, . . . ,−i ₁),

(<f(d _(i) ₀ )>,<f(d _(i) ₀ ₊₁)>, . . . ,<f(d _(i) ₁)>)←BatchRead(<M>;<d>;i ₀ ,i ₀+1, . . . ,i ₁),

In step S16, the function value secure text (<f(a_(i))>, <f(b_(i))>,<f(c_(i))>, <f(d_(i))>) is output from the output part 16.

Second Embodiment

Referring to FIG. 3, the processing procedures of the secure computationmethod of a second embodiment are described. Hereinafter, differencesfrom the first embodiment described above are mainly described.

In step S13, as for the function f(x), the preliminary computation part13 computes f(x₀), f(x₀+1), . . . , f(x₁), and generates an arrayM=(f(x₀), f(x₀+1), . . . , f(x₁)). In the second embodiment, theprobabilities log p_(i) (i₀≤i≤i₁) defined by the following equation arecomputed and then the probabilities p_(i)=exp(log p_(i)) are computed,the function f(x) is defined as f(x):=log(x!).

log p _(i) =f(a+b)+f(c+d)+f(a+c)+f(b+d)−f(a+b+c+d)−f(a _(i))−f(b_(i))−f(c _(i))−f(d _(i))

The point of the present invention is to utilize the fact that thedifferences of inputs a_(i0) , a_(i 0+1), . . . , a_(i1) of functionvalues f(a_(i0)), f(a_(i0+1)), . . . , f(a_(i1)) are information allowedto be disclosed, to achieve computation of function value secure text<f(a_(i0))>, <f(a_(i0+1))>, . . . , <f(a_(i)> efficiently, using thebatch-reading algorithm.

By such a configuration, according to the secure computation technologyof the present invention, multiple table references are collectivelyexecuted, thereby allowing Fisher's exact test to be efficientlycomputed. The computation amount of batch reading from an array having asize of n is O(n). Consequently, provided that 1+i₁−i₀=K and 1+x₁−x₀=L,the entire computation amount is improved from O(KL) to O(L).

The embodiments of the present invention have thus been described above.However, the specific configuration is not limited to that in theseembodiments. Even if the design is appropriately changed in a rangewithout departing from the spirit of the present invention, it is amatter of course that the configuration is included in the presentinvention. The various processes described in the embodiments can beexecuted in a time-series manner according to the order of thedescription. Alternatively, such execution may be performed in parallelor individually, in conformity with the processing capability of thedevice that executes the processes, or as required.

Program and Recording Medium

In the cases where the various processing functions in each devicedescribed in the embodiments are implemented with a computer, theprocessing content of the functions that each device should have isdescribed as a program. The program is executed by the computer, therebyachieving the various processing functions in each device describedabove on the computer.

The program that describes the processing content can be preliminarilyrecorded in a computer-readable recording medium. The computer-readablerecording medium may be, for example, any computer-readable recordingmedium, such as a magnetic recording device, an optical disk, amagneto-optical recording medium, or a semiconductor memory.

The program is distributed by, for example, selling, transferring, orlending a portable recording medium, such as DVD or CD-ROM, where theprogram is recorded. Alternatively, a configuration may be adopted wherethe program may be preliminarily stored in a storing device of a servercomputer, and the program may be transferred from the server computer toanother computer via a network, thereby distributing the program.

For example, the computer for executing such a program, first, storesthe program recorded in a portable recording medium or transferred froma server computer, temporarily in its storing device. At the time ofexecuting the process, the computer reads the program recorded in itsrecording medium, and executes the processes according to the readprogram.

According to another execution mode of this program, the computer maydirectly read the program from the portable recording medium, andexecute the processes according to the program. Further alternatively,every time the program is transferred to the computer from the servercomputer, the computer may successively execute the process according tothe received program. Another configuration may be adopted that executesthe processes described above through a service of what is called an ASP(Application Service Provider) type according to which the program isnot transferred from the server computer to the computer concerned, andthe processing function is achieved only by an execution instructiontherefor and acquisition of the result. The program according to theembodiments include information that is provided for the processes bythe computer and conforms to the program (data and the like that are notdirect instructions to the computer but have characteristics definingthe processes of the computer).

According to the embodiments, this device is thus configured byexecuting a predetermined program on the computer. Alternatively, atleast a part of the processing content may be achieved as hardware.

INDUSTRIAL APPLICABILITY

The secure computation technology of the present invention is applicableto, for example, execution of Fisher's exact test through securecomputation with genome information being kept secure, in genome wideassociation study that deals with sensitive information.

1. A secure computation system comprising three or more securecomputation devices, wherein a, b, c, and d are non-negative integers, ais a frequency on a first row and a first column in a 2×2 contingencytable, b is a frequency on the first row and a second column in thecontingency table, c is a frequency on the second row and the firstcolumn in the contingency table, d is a frequency on the second row andthe second column in the contingency table, <a>, <b>, <c>, and <d>aresecure text pieces of respective frequencies a, b, c, and d, andBatchRead(<α>; <β>; j₀, . . . , j_(m−1)) represents a function ofgenerating secure text (<α[β+j₀ mod n]>, . . . , <α[β+j_(m−1) mod n]>)having a size of m from secure text <α>=(<α[0]>, <α[1]>, . . . ,<α[n−1]>) having a size of n, the secure computation device comprisescircuitry configured to: determine i₀, i₁, x₀ and x₁ that satisfy i₀≤i₁and x₀≤x₁; compute f(x₀), . . . , f(x₁), and generate an array M=(f(x₀),. . . , f(x₁)), for a freely selected function f(x); secure the array M,and generates a secure text array <M>=(<f(x₀)>, . . . , <f(x₁)>); andexecute following formulae, and generate a function value secure text(<f(a_(i))>, <f(b_(i))>, <f(c_(i))>, <f(d_(i))>) (i₀≤i <_(i)),(<f(a _(i) ₀ )>,<f(a _(i) ₀ ₊₁)>

,<f(a _(i) ₁ )>)←BatchRead(<M>;<a>;i ₀ ,i ₀+1,

,i ₁),(<f(b _(i) ₀ )>,<f(b _(i) ₀ ₊₁)>,

,<f(b _(i) ₁ )>)←BatchRead(<M>;<b>;−i ₀,−(i ₀+1,

,−i ₁),(<f(c _(i) ₀ )>,<f(c _(i) ₀ ₊₁)>,

,<f(c _(i) ₁ )>)←BatchRead(<M>;<c>;−i ₀,−(i ₀+1,

,−i ₁),(<f(d _(i) ₀ )>,<f(d _(i) ₀ ₊₁)>,

,<f(d _(i) ₁ )>)←BatchRead(<M>;<d>;i ₀ ,i ₀+1,

,i ₁)
 2. The secure computation system according to claim 1, wherein tocompute a probability p_(i) (i₀≤i≤i₁) defined by a following equation,the circuitry computes f(x₀), . . . , f(x₁), with the function f(x)being assumed as f(x):=x!,$p_{i} = \frac{{f\left( {a + b} \right)}{f\left( {c + d} \right)}{f\left( {a + c} \right)}{f\left( {b + d} \right)}}{{f\left( {a + b + c + d} \right)}{f\left( a_{i} \right)}{f\left( b_{i} \right)}{f\left( c_{i} \right)}{f\left( d_{i} \right)}}$3. The secure computation system according to claim 1, wherein tocompute log p_(i) (i₀≤i≤i₁) defined by a following equation andsubsequently compute a probability p_(i)=exp(log p_(i)), the circuitrycomputes f(x₀), . . . , f(x₁), with the function f(x) being assumed asf(x):=log(x!),log p _(i) =f(a+b)+f(c+d)+f(a+c)+f(b+d)−f(a+b+c+d)−f(a _(i))−f(b_(i))−f(c _(i))−f(d _(i))
 4. A secure computation device, wherein a, b,c, and d are non-negative integers, a is a frequency on a first row anda first column in a 2×2 contingency table, b is a frequency on the firstrow and a second column in the contingency table, c is a frequency onthe second row and the first column in the contingency table, d is afrequency on the second row and the second column in the contingencytable, <a>, <b>, <c>, and <d>are secure text pieces of respectivefrequencies a, b, c, and d, and BatchRead(<α>; <β>; j₀, . . . , j_(m−1))represents a function of generating secure text (<α[β+j₀mod n]>, . . . ,<α[β+j_(m−1) mod n]>) having a size of m from secure text <α>=(<α[0]>,<α[1]>, . . . , <α[n−1]>) having a size of n, the secure computationdevice comprises circuitry configured to: determine i₀, i₁, x₀ and x₁that satisfy i₀≤i₁ and x₀x₁; compute f(x₀), . . . , f(x₁), and generatesan array M=(f(x₀), . . . , f(x₁)), for a freely selected function f(x);secure the array M, and generate a secure text array <M>=(<f(x₀)>, . . ., <f(x₁)>); and execute following formulae, and generate a functionvalue secure text (<f(a_(i))>, <f(b_(i))>, <f(c_(i))>, <f(d_(i))>) (i₀≤i≤i₁),(<f(a _(i) ₀ )>,<f(a _(i) ₀ ₊₁)>,

,<f(a _(i) ₁ )>)←BatchRead(<M>;<a>;i ₀ ,i ₀+1,

,i ₁),(<f(b _(i) ₀ )>,<f(b _(i) ₀ ₊₁)>,

,<f(b _(i) ₁ )>)←BatchRead(<M>;<b>;−i ₀,−(i ₀+1,

,−i ₁),(<f(c _(i) ₀ )>,<f(c _(i) ₀ ₊₁)>,

,<f(c _(i) ₁ )>)←BatchRead(<M>;<c>;−i ₀,−(i ₀+1,

,−i ₁),(<f(d _(i) ₀ )>,<f(d _(i) ₀ ₊₁)>,

,<f(d _(i) ₁ )>)←BatchRead(<M>;<d>;i ₀ ,i ₀+1,

,i ₁)
 5. A secure computation method, wherein a, b, c, and d arenon-negative integers, a is a frequency on a first row and a firstcolumn in a 2×2 contingency table, b is a frequency on the first row anda second column in the contingency table, c is a frequency on the secondrow and the first column in the contingency table, d is a frequency onthe second row and the second column in the contingency table, <a>, <b>,<c>, and <d>are secure text pieces of respective frequencies a, b, c,and d, and BatchRead(<α>; <β>; j₀, . . . , j_(m−1)) represents afunction of generating secure text (<α[β+j₀mod n]>, . . . , <α[β+j_(m−1)mod n]>) having a size of m from secure text <α>=(<α[0]>, <α[1]>, . . ., <α[n−1]>) having a size of n, the secure computation methodcomprising: determining i₀, i₁, x₀ and x₁ that satisfy i₀≤i₁ and x₀x₁ bycircuitry of a secure computation device; computing f(x₀), . . . ,f(x₁), and generating an array M=(f(x₀), . . . , f(x₁)), for a freelyselected function f(x) by the circuitry of the secure computationdevice; securing the array M, and generating a secure text array<M>=(<f(x₀)>, . . . , <f(x₁)>) by the circuitry of the securecomputation device; and executing following formulae, and generating afunction value secure text (<f(a_(i))>, <f(b_(i))>, <f(c_(i))>,<f(d_(i))>) (i₀≤i ≤i₁) by the circuitry of the secure computationdevice,(<f(a _(i) ₀ )>,<f(a _(i) ₀ ₊₁)>,

,<f(a _(i) ₁ )>)←BatchRead(<M>;<a>;i ₀ ,i ₀+1,

,i ₁),(<f(b _(i) ₀ )>,<f(b _(i) ₀ ₊₁)>,

,<f(b _(i) ₁ )>)←BatchRead(<M>;<b>;−i ₀,−(i ₀+1,

,−i ₁),(<f(c _(i) ₀ )>,<f(c _(i) ₀ ₊₁)>,

,<f(c _(i) ₁ )>)←BatchRead(<M>;<c>;−i ₀,−(i ₀+1,

,−i ₁),(<f(d _(i) ₀ )>,<f(d _(i) ₀ ₊₁)>,

,<f(d _(i) ₁ )>)←BatchRead(<M>;<d>;i ₀ ,i ₀+1,

,i ₁)
 6. (canceled)
 7. A non-transitory computer readable mediumincluding computer executable instructions that make a securecomputation device perform a method, wherein a, b, c, and d arenon-negative integers, a is a frequency on a first row and a firstcolumn in a 2×2 contingency table, b is a frequency on the first row anda second column in the contingency table, c is a frequency on the secondrow and the first column in the contingency table, d is a frequency onthe second row and the second column in the contingency table, <a>, <b>,<c>, and <d>are secure text pieces of respective frequencies a, b, c,and d, and BatchRead(<α>; <β>; j₀, . . . , j_(m−1)) represents afunction of generating secure text (<α[β+j₀mod n]>, . . . , <α[β+j_(m−1)mod n]>) having a size of m from secure text <α>=(<α[0]>, <α[1]>, . . ., <α[n−1]>) having a size of n, the method comprising: determining i₀,i₁, x₁ and x₁ that satisfy i₀≤i₁ and x₀≤x₁; computing f(x₀), . . . ,f(x₁), and generating an array M=(f(x₀), . . . , f(x₁)), for a freelyselected function f(x); securing the array M, and generating a securetext array <M>=(<f(x₀)>, . . . , <f(x₁)>); and executing followingformulae, and generating a function value secure text (<f(a_(i))>,<f(b_(i))>, <f(c_(i))>, <f(d_(i))>),(<f(a _(i) ₀ )>,<f(a _(i) ₀ ₊₁)>,

,<f(a _(i) ₁ )>)←BatchRead(<M>;<a>;i ₀ ,i ₀+1,

,i ₁),(<f(b _(i) ₀ )>,<f(b _(i) ₀ ₊₁)>,

,<f(b _(i) ₁ )>)←BatchRead(<M>;<b>;−i ₀,−(i ₀+1,

,−i ₁),(<f(c _(i) ₀ )>,<f(c _(i) ₀ ₊₁)>,

,<f(c _(i) ₁ )>)←BatchRead(<M>;<c>;−i ₀,−(i ₀+1,

,−i ₁),(<f(d _(i) ₀ )>,<f(d _(i) ₀ ₊₁)>,

,<f(d _(i) ₁ )>)←BatchRead(<M>;<d>;i ₀ ,i ₀+1,

,i ₁)